




1. Run display vap-profile all to list all VAP profiles, and find the VAP profile that corresponds to the SSID.


[Huawei] display vap-profile all
FMode   : Forward mode
STA U/D : Rate limit client up/down
VAP U/D : Rate limit VAP up/down
BR2G/5G : Beacon 2.4G/5G rate
Name     FMode     Type     VLAN      AuthType      STA U/D(Kbps)  VAP U/D(Kbps)  BR2G/5G(Mbps)  Reference  SSID
default  direct   service  VLAN 1    Open          -/-               -/-              1/6               0            HUAWEI-WLAN
vap_dot1x tunnel service  VLAN 200  WPA2+802.1X  -/-              -/-              1/6               3            dot1x_test
Total: 2




2. View the configuration of the VAP profile and check which security profile and authentication profile are bound to it.


[Huawei] wlan
[Huawei-wlan-view] vap-profile name vap_dot1x
[Huawei-wlan-vap-prof-vap_dot1x] display this
 forward-mode tunnel
 service-vlan vlan-id 200
 ssid-profile dot1x
 security-profile security_dot1x
 authentication-profile authen_dot1x


3. View the configuration of the security profile. The security policy must be set to WPA/WPA2 with 802.1X authentication and encryption.


[Huawei] wlan
[Huawei-wlan-view] security-profile name security_dot1x
[Huawei--wlan-sec-prof-security_dot1x] display this
 security wpa2 dot1x aes


4. View the configuration of the authentication profile. An 802.1X access profile must be bound to it.


[Huawei] authentication-profile name authen_dot1x
[Huawei-authentication-profile-authen_dot1x] display this
authentication-profile name authen_dot1x
 dot1x-access-profile access_dot1x
 access-domain domain_test


5. View the configuration of the 802.1X access profile. The dot1x authentication mode must be EAP relay, which is the default.


[Huawei] dot1x-access-profile name access_dot1x
[Huawei--dot1x-access-profile-access_dot1x] display this
dot1x-access-profile name access_dot1x










[Huawei] authentication-profile name authen_dot1x
[Huawei-authentication-profile-authen_dot1x] display this
authentication-profile name authen_dot1x
 dot1x-access-profile access_dot1x
 authentication-scheme radius
 accounting-scheme radius
 radius-server radius_test





[Huawei] aaa
[Huawei-aaa] domain domain_test
[Huawei-aaa-domain-domain_test] display this
 domain domain_test
  authentication-scheme radius
  accounting-scheme radius
  radius-server radius_test




[Huawei] authentication-profile name authen_dot1x
[Huawei-authentication-profile-authen_dot1x] display this
authentication-profile name authen_dot1x
 dot1x-access-profile access_dot1x
 access-domain domain_test


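Authentication domains have priorities, and a terminal is authenticated in the domain with the highest priority: forced domain for a specified access type > forced domain for no specified access type > valid domain carried in the user name > default domain for a specified access type > default domain for no specified access type > global default domain. Configuration examples for each kind of domain follow: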



[Huawei-authentication-profile-authen_dot1x] display this
authentication-profile name authen_dot1x
 dot1x-access-profile access_dot1x
 access-domain domain_test dot1x force




[Huawei-authentication-profile-authen_dot1x] display this
authentication-profile name authen_dot1x
 dot1x-access-profile access_dot1x
 access-domain domain_test force





[Huawei-authentication-profile-authen_dot1x] display this
authentication-profile name authen_dot1x
 dot1x-access-profile access_dot1x
 access-domain domain_test dot1x




[Huawei-authentication-profile-authen_dot1x] display this
authentication-profile name authen_dot1x
 dot1x-access-profile access_dot1x
 access-domain domain_test


Global default domain: the global default domain specified with domain xxx in the system view.
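The priority order above, worked through as an added Python example (not Huawei code and not part of the original page): it reads the access-domain lines of an authentication profile and returns the domain a terminal would be authenticated in. The function names, the "@" domain delimiter, the constructed profile and the rule that a user-name domain counts as valid only when it is configured on the device are assumptions of the example.

```python
import re

# access-domain <name> [dot1x | mac-authen | portal]* [force], as in the profiles above
ACCESS_DOMAIN = re.compile(
    r"^\s*access-domain\s+(\S+)((?:\s+(?:dot1x|mac-authen|portal))*)(\s+force)?\s*$"
)


def parse_access_domains(profile_text):
    """Return [(domain, access_types, forced)] from 'display this' output."""
    entries = []
    for line in profile_text.splitlines():
        m = ACCESS_DOMAIN.match(line)
        if m:
            entries.append((m.group(1), frozenset(m.group(2).split()), bool(m.group(3))))
    return entries


def effective_domain(profile_text, username, access_type, known_domains, global_default):
    """Apply the six-level priority and return (domain, rule_that_matched)."""
    entries = parse_access_domains(profile_text)

    def pick(forced, typed):
        # typed=True: entry names this access type; typed=False: entry names none
        for name, types, is_forced in entries:
            if is_forced == forced and (access_type in types if typed else not types):
                return name
        return None

    domain = pick(forced=True, typed=True)
    if domain:
        return domain, "forced domain for the access type"
    domain = pick(forced=True, typed=False)
    if domain:
        return domain, "forced domain"
    # Assumption: the domain is the text after the last '@' and is valid
    # only when that domain is configured on the device.
    if "@" in username:
        suffix = username.rsplit("@", 1)[1]
        if suffix in known_domains:
            return suffix, "domain carried in the user name"
    domain = pick(forced=False, typed=True)
    if domain:
        return domain, "default domain for the access type"
    domain = pick(forced=False, typed=False)
    if domain:
        return domain, "default domain"
    return global_default, "global default domain"


# Constructed profile combining two of the forms shown above.
PROFILE = """authentication-profile name authen_dot1x
 dot1x-access-profile access_dot1x
 access-domain domain_guest
 access-domain domain_test dot1x
"""
```

With a forced domain configured, the suffix a user types cannot move authentication into a different domain, which is why the two forced forms sit above the user-name domain in the order.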



Run display aaa online-fail-record mac-address H-H-H to view the terminal's online failure record. The User online fail reason field shows Radius authentication reject.


[Huawei] display aaa online-fail-record mac-address 64e5-99f3-18f6
User name               : test
Domain name             : domain_test
User MAC                : 64e5-99f3-18f6
User access type        : 802.1x
User access interface   : Wlan-Dbss17496
Qinq vlan/User vlan     : 0/200
User IP address         : -
User IPV6 address       : -
User ID                 : 32846
User login time         : 2020/10/19 1422
User online fail reason : Radius authentication reject
Authen reply message    : ErrorReason is Incorrect user na...
User name to server     : test
AP ID                   : 0
Radio ID                : 0
AP MAC                  : 18de-d777-c120
SSID                    : dot1x_test
[Huawei] trace object mac-address 64e5-99f3-18f6
[Huawei] trace enable
[BTRACE][2020/10/19 1423][6144][RADIUS][64e5-99f3-18f6]:
Received a authentication reject packet from radius server(server ip =
[BTRACE][2020/10/19 1423][6144][RADIUS][64e5-99f3-18f6]:
Server Template: 4
Server IP   :
Server Port : 1812
Protocol: Standard
Code    : 3
Len     : 176
ID      : 80
[EAP-Message                        ] [6 ] [04 22 00 04 ]
[State                              ] [16] [01u?237372O]
[Reply-Message                      ] [116] [ErrorReason is Incorrect user name or password or Incorrect dataSource or Incorrect access device key.ErrCode:4101]
[Message-Authenticator              ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/10/19 1423][6144][RADIUS][64e5-99f3-18f6]:Send authentication reject message to AAA.
[BTRACE][2020/10/19 1423][6144][AAA][64e5-99f3-18f6]:
AAA receive AAA_RD_MSG_AUTHENREJECT message(51) from RADIUS module(235).




Run display aaa online-fail-record mac-address H-H-H to view the terminal's online failure record. The User online fail reason field shows The radius server is up but has no reply or The radius server is not reachable.


[Huawei] display aaa online-fail-record mac-address 64e5-99f3-18f6
User name               : test
Domain name             : domain_test
User MAC                : 64e5-99f3-18f6
User access type        : 802.1x
User access interface   : Wlan-Dbss17496
Qinq vlan/User vlan     : 0/200
User IP address         : -
User IPV6 address       : -
User ID                 : 32861
User login time         : 2020/10/19 1702
User online fail reason : The radius server is up but has no reply
Authen reply message    : -
User name to server     : test
AP ID                   : 0
Radio ID                : 0
AP MAC                  : 18de-d777-c120
SSID                    : dot1x_test
[Huawei] display aaa online-fail-record mac-address 64e5-99f3-18f6
User name               : test
Domain name             : domain_test
User MAC                : 64e5-99f3-18f6
User access type        : 802.1x
User access interface   : Wlan-Dbss17496
Qinq vlan/User vlan     : 0/200
User IP address         : -
User IPV6 address       : -
User ID                 : 32865
User login time         : 2020/10/19 2021
User online fail reason : The radius server is not reachable
Authen reply message    : -
User name to server     : test
AP ID                   : 0
Radio ID                : 0
AP MAC                  : 18de-d777-c120
SSID                    : dot1x_test




[Huawei] trace object mac-address 64e5-99f3-18f6
[Huawei] trace enable
[BTRACE][2020/10/19 1703][6144][AAA][64e5-99f3-18f6]:
AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(235).
[BTRACE][2020/10/19 1703][6144][AAA][64e5-99f3-18f6]:
CID:51  TemplateNo:4  SerialNo:62
PriyServer::: Vrf:0
SendServer: Vrf:0
[BTRACE][2020/10/19 1703][6144][AAA][64e5-99f3-18f6]:Radius server is up but no response.
[BTRACE][2020/10/19 1703][6144][AAA][64e5-99f3-18f6]:
[AAA ERROR]authen finish,the authen fail code is:8,reason is:Radius server is up but no response.
[BTRACE][2020/10/19 2022][6144][AAA][64e5-99f3-18f6]:
AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(235).
[BTRACE][2020/10/19 2022][6144][AAA][64e5-99f3-18f6]:
CID:55  TemplateNo:4  SerialNo:69
PriyServer::: Vrf:0
SendServer: Vrf:0
[BTRACE][2020/10/19 2022][6144][AAA][64e5-99f3-18f6]:Radius authentication has no response.
[BTRACE][2020/10/19 2022][6144][AAA][64e5-99f3-18f6]:
[AAA ERROR]authen finish,the authen fail code is:7,reason is:Radius authentication has no response.



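1. Check whether the device IP address has been added correctly on the RADIUS server.


2. If the device IP address has been added on the RADIUS server, check whether it is the same as the source IP address of the RADIUS authentication request packets that the device sends.


a. Look up the routing table by the RADIUS server's IP address to obtain the outbound interface, then check the IP address of that interface. If the device IP address added on the RADIUS server matches the address of the route's outbound interface, no source IP address for communication with the RADIUS server needs to be configured by command.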

[Huawei] display ip routing-table
Route Flags: R - relay, D - download to fib
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  Flags  NextHop     Interface
                    Direct  0    0     D                  Vlanif12
[Huawei] interface Vlanif 12
[Huawei-Vlanif12] display this
interface Vlanif12
 ip address


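b. If the device IP address added on the RADIUS server differs from the address of the route's outbound interface, configure on the device the source IP address used to communicate with the RADIUS server. The source IP address can be configured globally or in the RADIUS server template; the setting in the RADIUS server template takes precedence over the global setting.



i. Check whether a source IP address for communication with the RADIUS server is configured globally: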

[Huawei] display radius-server configuration
 Radius Server Source IP Address           : -
 Radius Server Source IPv6 Address         : ::
 Radius Attribute Nas IP Address           : -
 Radius Attribute Nas IPv6 Address         : ::
[Huawei] display radius-server configuration
 Radius Server Source IP Address           :
 Radius Server Source IPv6 Address         : ::
 Radius Attribute Nas IP Address           : -
 Radius Attribute Nas IPv6 Address         : ::


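If "Radius Server Source IP Address" is "-", no source IP address is configured globally; if it shows a specific IP address, a source IP address is configured.

ii. Check whether a source IP address for communication with the RADIUS server is configured in the RADIUS server template: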

[Huawei] radius-server template radius_test
[Huawei-radius-radius_test] display this
radius-server template radius_test
 radius-server shared-key cipher %^%#x[yB5Wd"!3GqH6,@[kW(Xi6PYA%^%#
 radius-server authentication 1812 source ip-address weight 80
 radius-server accounting 1813 source ip-address weight 80
[Huawei] radius-server template radius_test
[Huawei-radius-radius_test] display this
radius-server template radius_test
 radius-server shared-key cipher %^%#x[yB5Wd"!3GqH6,@[kW(Xi6PYA%^%#
 radius-server authentication 1812 source Vlanif 100 weight 80
 radius-server accounting 1813 source Vlanif 100 weight 80
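If "source ip-address" or "source vlanif" appears after the authentication server or accounting server in the RADIUS server template, a source IP address is configured in the template.



i. Configure the source address for communication with the RADIUS server globally: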

[Huawei] radius-server source ip-address
ii. Configure the source IP address for communication with the RADIUS server in the RADIUS template:
[Huawei] radius-server template radius_test
[Huawei-radius-radius_test] radius-server authentication 1812 source ip-address


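3. Check whether the link between the device and the RADIUS server is working.

a. Ping the server from the device with the source IP address specified to confirm that the route is reachable: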


[Huawei] ping -a
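b. Capture packets on the device and on the server at the same time to confirm that authentication packets are sent and received correctly. A common problem is a firewall in the intermediate network that does not permit RADIUS packets (default authentication port: 1812).


4. Check whether the RADIUS server status is normal. If the STState field is not STState-up, the status is abnormal.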


[Huawei] display radius-server item template radius_test
  STState    = STState-up
  STChgTime  = -
  Type       = auth-server
  State      = state-up
  AlarmFlag  = false
  STUseNum   = 1
  IPAddress  =
  AlarmTimer = 0xffffffff
  Head       = 10274
  Tail       = 10273
  ProbeID    = 255


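5. Check whether the shared key (shared-key) configured on the device matches the one on the RADIUS server. Test with the test-aaa command while RADIUS debugging is enabled. If "Authenticator error" appears in the debug output, the shared keys configured on the device and on the RADIUS server differ, and the shared key must be changed on both the device and the RADIUS server so that they are the same.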


[Huawei] test-aaa test test radius-template radius_test
Oct 24 2020 1549.591.1+08:00 AC6605_129_76 RDS/7/DEBUG:
RADIUS packet: IN (TotalLen=20)
Len 1 ~ 20:
02 08 00 14 F6 DA 06 57 40 25 32 2A A9 70 6E FD
46 F6 B1 25
Oct 24 2020 1549.591.2+08:00 AC6605_129_76 RDS/7/DEBUG:
[RDS(Err):] Receive a illegal packet(Authenticator error), please check share key config.(ip: port:1812)





[Huawei] radius-server template radius_test
[Huawei-radius-radius_test] radius-server shared-key cipher huawei@123




[Huawei] radius-server ip-address shared-key cipher huawei@123
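The shared-key check in step 5, as an added Python example (not from the original page): RFC 2865 defines the Response Authenticator of a RADIUS reply as an MD5 over the packet, the request authenticator and the shared key, so a device holding a different key rejects the reply exactly as it would a forged one. The request authenticator and both keys are constructed; only the 20-byte reply is taken from the debug output above.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def parse_header(packet):
    """Return (code, identifier, length, authenticator) of a RADIUS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the data")
    return code, ident, length, packet[4:HEADER_LEN]


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: sign the reply with the server's copy of the shared key."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """Device side: False corresponds to the 'Authenticator error' debug line."""
    code, ident, length, received = parse_header(packet)
    attrs = packet[HEADER_LEN:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received)


# The 20-byte reply from the debug output above: code 2 (Access-Accept), ID 8, no attributes.
PAGE_REPLY = bytes.fromhex("02080014F6DA06574025322AA9706EFD46F6B125")

# Constructed values: the request authenticator and both keys are made up.
REQUEST_AUTH = bytes(range(16))
SERVER_KEY = b"server-side-key"
DEVICE_KEY = b"device-side-key"
REPLY = build_response(2, 8, b"", REQUEST_AUTH, SERVER_KEY)

if __name__ == "__main__":
    print("header of the page's reply:", parse_header(PAGE_REPLY)[:3])
    print("same key on both sides    :", verify_response(REPLY, REQUEST_AUTH, SERVER_KEY))
    print("different key on device   :", verify_response(REPLY, REQUEST_AUTH, DEVICE_KEY))
```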



Run display aaa online-fail-record mac-address H-H-H to view the terminal's online failure record. The User online fail reason field shows Authorization data error.


[Huawei] display aaa online-fail-record mac-address 64e5-99f3-18f6
User name               : test
Domain name             : domaintest
User MAC                : 64e5-99f3-18f6
User access type        : 802.1x
User access interface   : Wlan-Dbss17496
Qinq vlan/User vlan     : 0/200
User IP address         : -
User IPV6 address       : -
User ID                 : 32873
User login time         : 2020/10/24 1634
User online fail reason : Authorization data error
Authen reply message    : -
User name to server     : test
AP ID                   : 0
Radio ID                : 0
AP MAC                  : 18de-d777-c120
SSID                    : dot1x_test





[Huawei] trace object mac-address 64e5-99f3-18f6
[Huawei] trace enable




[BTRACE][2020/10/24 1614][6144][RADIUS][64e5-99f3-18f6]:
Received a authentication accept packet from radius server(server ip =
[BTRACE][2020/10/24 1614][6144][RADIUS][64e5-99f3-18f6]:
Server Template: 4
Server IP   :
Server Port : 1812
Protocol: Standard
Code    : 2
Len     : 194
ID      : 194
[Tunnel-Type                        ] [6 ] [13]
[Tunnel-Medium-Type                 ] [6 ] [6]
[Tunnel-Private-Group-ID            ] [6 ] [201]
[EAP-Message                        ] [6 ] [03 4a 00 04 ]
[State                              ] [16] [01uY31125N]
[MS-MPPE-Send-Key                   ] [52] [fb a1 e9 55 16 62 a3 e5 da 35 fc ce 3e 8f ae 7d ac 0a d6 0b 20 59 ad 82 a8 66 88 06 6a 81 10 82 61 95 2e cf 44 50 c0 79 e5 3f a4 32 43 45 a5 9e 2b c4 ]
[MS-MPPE-Recv-Key                   ] [52] [fb a1 e9 65 b1 18 6d 60 8f 0a ed af 53 1e 26 8a e6 18 9d 26 8c 21 c8 4f c2 8a 6a d5 a8 85 8a 9d ba d8 be 8d 97 b8 b8 d3 24 04 21 23 90 71 33 35 f4 6b ]
[Message-Authenticator              ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/10/24 1614][6144][RADIUS][64e5-99f3-18f6]:Send authentication reply message to AAA.
[BTRACE][2020/10/24 1614][6144][AAA][64e5-99f3-18f6]:
AAA receive AAA_RD_MSG_AUTHENACCEPT message(50) from RADIUS module(235).
[BTRACE][2020/10/24 1614][6144][AAA][64e5-99f3-18f6]:
CID:57  TemplateNo:4  SerialNo:73
PriyServer::: Vrf:0
SendServer: Vrf:0
SessionTimeout:0 IdleTimeout:0
AcctInterimInterval:0 RemanentVolume:0
InputPeakRate:0 InputAverageRate:0
OutputPeakRate:0 OutputAverageRate:0
InputBasicRate:0 OutputBasicRate:0
InputPBS:0 OutputPBS:0
Priority:[0,0] DNS:[,]
ServiceType:0 LoginService:0 AdminLevel:0 FramedProtocol:0
LoginIpHost:0 NextHop:0
EapLength:4 ReplyMessage:
TunnelType:13 MediumType:6 PrivateGroupID:201
[BTRACE][2020/10/24 1614][6144][AAA][64e5-99f3-18f6]:
[AAA ERROR]AAA check authen ack, check VLANID error!
[BTRACE][2020/10/24 1614][6144][AAA][64e5-99f3-18f6]:Radius authorization data error.
[BTRACE][2020/10/24 1614][6144][AAA][64e5-99f3-18f6]:
[AAA ERROR]authen finish,the authen fail code is:16,reason is:Radius authorization data error.


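VLAN authorization requires all of the following to be delivered together: RADIUS attribute 64, Tunnel-Type, with the fixed value 13 (VLAN protocol); RADIUS attribute 65, Tunnel-Medium-Type, with the fixed value 6 (Ethernet type); and RADIUS attribute 81, Tunnel-Private-Group-ID, which supports authorization by VLAN ID, VLAN description, VLAN name and VLAN pool. The order in which these take effect is: VLAN ID > VLAN description > VLAN name > VLAN pool.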



Received a authentication accept packet from radius server(server ip =
[BTRACE][2020/10/24 1619][6144][RADIUS][64e5-99f3-18f6]:
Server Template: 4
Server IP   :
Server Port : 1812
Protocol: Standard
Code    : 2
Len     : 182
ID      : 205
[Filter-Id                          ] [6 ] [3000]
[EAP-Message                        ] [6 ] [03 4c 00 04 ]
[State                              ] [16] [01uY31432103]
[MS-MPPE-Send-Key                   ] [52] [bd ce 7f 1d bf 78 33 d4 6c 45 d8 d0 1b f7 ee d2 02 16 7a ac fd 62 25 88 f7 84 7a 22 44 d8 01 8a 99 a3 33 66 7d 47 e9 a7 ed 88 d5 01 f8 62 4f 9d cd 56 ]
[MS-MPPE-Recv-Key                   ] [52] [bd ce 7f 54 6f 27 35 d1 01 5c f1 5e aa e8 27 91 c7 8b 89 2f 06 8f ac 46 13 5c 92 78 ec cf 39 aa dc bb f8 ff b1 b8 5c 42 6b f8 ca 80 76 b1 e8 35 c9 ed ]
[Message-Authenticator              ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/10/24 1619][6144][RADIUS][64e5-99f3-18f6]:Send authentication reply message to AAA.
[BTRACE][2020/10/24 1619][6144][AAA][64e5-99f3-18f6]:
AAA receive AAA_RD_MSG_AUTHENACCEPT message(50) from RADIUS module(235).
[BTRACE][2020/10/24 1619][6144][AAA][64e5-99f3-18f6]:
CID:58  TemplateNo:4  SerialNo:75
PriyServer::: Vrf:0
SendServer: Vrf:0
SessionTimeout:0 IdleTimeout:0
AcctInterimInterval:0 RemanentVolume:0
InputPeakRate:0 InputAverageRate:0
OutputPeakRate:0 OutputAverageRate:0
InputBasicRate:0 OutputBasicRate:0
InputPBS:0 OutputPBS:0
Priority:[0,0] DNS:[,]
ServiceType:0 LoginService:0 AdminLevel:0 FramedProtocol:0
LoginIpHost:0 NextHop:0
EapLength:4 ReplyMessage:
TunnelType:0 MediumType:0 PrivateGroupID:
[BTRACE][2020/10/24 1619][6144][AAA][64e5-99f3-18f6]:
[AAA ERROR]AAA check radius authen ack, check acl error!
[BTRACE][2020/10/24 1619][6144][AAA][64e5-99f3-18f6]:Radius authorization data error.
[BTRACE][2020/10/24 1619][6144][AAA][64e5-99f3-18f6]:
[AAA ERROR]authen finish,the authen fail code is:16,reason is:Radius authorization data error.


Note on authorization ACLs: in wireless scenarios the authorization ACL ID ranges from 3000 to 3031, and the maximum rule id in an ACL is 64.
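The two authorization rules above applied to the attribute lines of a trace, as an added Python example (not Huawei code and not part of the original page). Reading "check VLANID error" and "check acl error" as "the authorized VLAN or ACL is absent on the device" is an assumption of the example, as are the function names and the device VLAN and ACL sets passed in.

```python
import re

# One attribute line of the trace: [Name   ] [len] [value]
ATTR_LINE = re.compile(r"^\[([^\]]*?)\s*\]\s*\[\s*(\d+)\s*\]\s*\[(.*)\]\s*$")
TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
ACL_RANGE = range(3000, 3032)  # 3000-3031, authorization ACL IDs in wireless scenarios


def parse_attributes(trace_text):
    """Map attribute name to its printed value for every attribute line."""
    attrs = {}
    for line in trace_text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m:
            attrs[m.group(1)] = m.group(3).strip()
    return attrs


def check_authorization(trace_text, device_vlans, device_acls):
    """Return a list of findings; an empty list means nothing was flagged."""
    attrs = parse_attributes(trace_text)
    findings = []
    if any(name in attrs for name in TUNNEL_ATTRS):
        missing = [name for name in TUNNEL_ATTRS if name not in attrs]
        if missing:
            findings.append("VLAN authorization incomplete, missing: " + ", ".join(missing))
        for name, want in (("Tunnel-Type", "13"), ("Tunnel-Medium-Type", "6")):
            if name in attrs and attrs[name] != want:
                findings.append(f"{name} is {attrs[name]}, must be {want}")
        group = attrs.get("Tunnel-Private-Group-ID", "")
        # Assumption: a numeric value is a VLAN ID that must exist on the device.
        if group.isdigit() and int(group) not in device_vlans:
            findings.append(f"authorized VLAN {group} is not created on the device")
    acl = attrs.get("Filter-Id", "")
    if acl.isdigit():
        if int(acl) not in ACL_RANGE:
            findings.append(f"authorized ACL {acl} is outside 3000-3031")
        elif int(acl) not in device_acls:
            # Assumption: an in-range ACL must also be configured on the device.
            findings.append(f"authorized ACL {acl} is not configured on the device")
    return findings


# Attribute lines copied from the two Access-Accept traces above.
TRACE_VLAN = """
[Tunnel-Type                        ] [6 ] [13]
[Tunnel-Medium-Type                 ] [6 ] [6]
[Tunnel-Private-Group-ID            ] [6 ] [201]
[EAP-Message                        ] [6 ] [03 4a 00 04 ]
"""
TRACE_ACL = """
[Filter-Id                          ] [6 ] [3000]
[EAP-Message                        ] [6 ] [03 4c 00 04 ]
"""
# Constructed: Tunnel-Private-Group-ID alone, and an ACL ID above the range.
TRACE_BAD = """
[Tunnel-Private-Group-ID            ] [6 ] [200]
[Filter-Id                          ] [6 ] [3100]
"""

if __name__ == "__main__":
    # Constructed device state: VLANs 1 and 200 exist, only ACL 3001 exists.
    for trace in (TRACE_VLAN, TRACE_ACL, TRACE_BAD):
        print(check_authorization(trace, {1, 200}, {3001}))
```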


1. Confirm whether the corresponding authorization is needed.





[Huawei] radius-server template radius_test
[Huawei-radius-radius_test] radius-server attribute translate
[Huawei-radius-radius_test] radius-attribute disable Tunnel-Private-Group-ID receive




[Huawei] radius-server template radius_test
[Huawei-radius-radius_test] radius-server attribute translate
[Huawei-radius-radius_test] radius-attribute disable Filter-Id receive


Run display aaa online-fail-record mac-address H-H-H to view the terminal's online failure record. The User online fail reason field shows Remote user is blocked.


[Huawei] display aaa online-fail-record mac-address 64e5-99f3-18f6
User name               : test
Domain name             : domaintest
User MAC                : 64e5-99f3-18f6
User access type        : 802.1x
User access interface   : Wlan-Dbss17496
Qinq vlan/User vlan     : 0/200
User IP address         : -
User IPV6 address       : -
User ID                 : 16450
User login time         : 2020/11/03 1915
User online fail reason : Remote user is blocked
Authen reply message    : -
User name to server     : test
AP ID                   : 0
Radio ID                : 0
AP MAC                  : 18de-d777-c120
SSID                    : dot1x_test







[Huawei] display remote-user authen-fail blocked
Interval: Retry Interval(Mins)
TimeLeft: Retry Time Left
BlockDuration: Block Duration(Mins)
Username  Interval  TimeLeft  BlockDuration  BlockTime
test       0         0         5              2020-11-03 1914+08:00
Total 1, 1 printed




[Huawei] aaa
[Huawei-aaa] remote-user authen-fail unblock username test




[Huawei] aaa
[Huawei-aaa] undo remote-aaa-user authen-fail




[Huawei] aaa
[Huawei-aaa] undo access-user remote authen-fail


Running trace object mac-address mac-address in the system view shows the message User is still in quiet status, which means the terminal is in the quiet state.


[BTRACE][2020/11/21 1501][7177][EAPoL][000c-291a-4b03]:User is still in quiet status.(MAC:000c-291a-4b03)    //The terminal is in the quiet state and the packet is dropped
[BTRACE][2020/11/21 1501][7177][EAPoL][000c-291a-4b03]:Quiet table check failure,drop the packet.


Run display dot1x quiet-user all to view the remaining quiet time of user MAC addresses that are in the quiet state.


[Huawei] display dot1x quiet-user all
MacAddress                      Quiet Remain Time(Sec)
000c-291a-4b03                  49
1 silent mac address(es) found, 1 printed.


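The terminal user failed 802.1X authentication a certain number of times in a row within 60s. Determine why the account's earlier authentication attempts failed, and retry after the user MAC leaves the quiet state. You can also run dot1x timer quiet-period quiet-period-times in the system view to shorten the time for which an 802.1X user is kept quiet.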


[Huawei] dot1x timer quiet-period 60

The terminal does not respond to EAP packets

The terminal does not respond to Request Identity


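Tracing the terminal user's online authentication process with the service diagnosis function shows that the device received no response after sending the Request Identity packet and retransmitted it after the timeout: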


[Huawei] trace object mac-address 64e5-99f3-18f6
[Huawei] trace enable
[BTRACE][2020/11/02 1445][6144][EAPoL][64e5-99f3-18f6]:Send a EAPoL request identity packet to user.
[BTRACE][2020/11/02 1445][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/02 1445][6144][EAPoL][64e5-99f3-18f6]:
EAPOL packet: OUT
64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8
88 8e 01 00 00 05 01 60 00 05 01
[BTRACE][2020/11/02 1445][6144][EAPoL][64e5-99f3-18f6]:
802.1x packet:
Version:802.1X-2001(1); Type:Eap(0); Length:5
EAPOL packet:
Code:Request(1); Id:96; Length:5; Type:Identity(1)
[BTRACE][2020/11/02 1445][6144][EAPoL][64e5-99f3-18f6]:Send EAP_request packet to user successfully.(Index=120)
[BTRACE][2020/11/02 1445][6144][WLAN_AC][64e5-99f3-18f6]:[Process:6][WSTA] Process eapol start message up sucessfully.
[BTRACE][2020/11/02 1445][6144][WLAN_AC][64e5-99f3-18f6]:[Process:6][WADP] Receive EAP authentication ack message from EAPOL(Value:0, Code:0, Current SN:159, Response SN:159).
[BTRACE][2020/11/02 1445][6144][WLAN_AC][64e5-99f3-18f6]:[Process:6][WSTA] Sta table aging.
[BTRACE][2020/11/02 1447][6144][EAPoL][64e5-99f3-18f6]:No response of request identity from user.
[BTRACE][2020/11/02 1447][6144][EAPoL][64e5-99f3-18f6]:Resend a EAPoL request identity packet to user.
[BTRACE][2020/11/02 1447][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/02 1447][6144][EAPoL][64e5-99f3-18f6]:
EAPOL packet: OUT
64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8
88 8e 01 00 00 05 01 60 00 05 01
[BTRACE][2020/11/02 1447][6144][EAPoL][64e5-99f3-18f6]:
802.1x packet:
Version:802.1X-2001(1); Type:Eap(0); Length:5
EAPOL packet:
Code:Request(1); Id:96; Length:5; Type:Identity(1)
[BTRACE][2020/11/02 1447][6144][EAPoL][64e5-99f3-18f6]:Send EAP_request packet to user successfully.(Index=120)



Check whether the service VLAN has been created (service VLAN 200 is used as an example):


[Huawei] display vlan summary
static vlan:
Total 12 static vlan exist(s).
1 10 12 100 111 to 112 999 1110 to 1114
dynamic vlan:
Total 0 dynamic vlan exist(s).


Create the service VLAN (service VLAN 200 is used as an example):


[Huawei] vlan 200


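The terminal does not respond to Request Challenge

Tracing the terminal user's online authentication process with the service diagnosis function shows that the device received no response after sending the Request Challenge packet, retransmitted it after the timeout, and sent a Failure packet once the retransmission limit was exceeded: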


[Huawei] trace object mac-address 64e5-99f3-18f6
[Huawei] trace enable
[BTRACE][2020/11/03 1400][6144][EAPoL][64e5-99f3-18f6]:Eapol send authentication request challenge packet to user.
[BTRACE][2020/11/03 1400][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/03 1400][6144][EAPoL][64e5-99f3-18f6]:
EAPOL packet: OUT
64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8
88 8e 01 00 00 41 01 6c 00 41 19 00 14 03 01 00
01 01 16 03 01 00 30 85 17 ee 90 6c 84 62 9f 66
28 bb d7 29 2c e4 3f 44 dd 79 aa 10 54 3b 6d 54
ac 8e c8 6b a8 3f f7 cd 68 47 4f cc 9a a3 4e ba
0f b5 88 00 22 3e 0a
[BTRACE][2020/11/03 1400][6144][EAPoL][64e5-99f3-18f6]:
802.1x packet:
Version:802.1X-2001(1); Type:Eap(0); Length:65
EAPOL packet:
Code:Request(1); Id:108; Length:65; Type:PEAP(25)
[BTRACE][2020/11/03 1400][6144][EAPoL][64e5-99f3-18f6]:Send EAP_request packet to user successfully.(Index=122)
[BTRACE][2020/11/03 1400][6144][EAPoL][64e5-99f3-18f6]:Eapol send request/challenge packet to user successfully.enter request status.(local index:122)
[BTRACE][2020/11/03 1402][6144][EAPoL][64e5-99f3-18f6]:No response of request challenge from user.
[BTRACE][2020/11/03 1402][6144][EAPoL][64e5-99f3-18f6]:Resend a EAPoL request challenge packet to user.
[BTRACE][2020/11/03 1402][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/03 1402][6144][EAPoL][64e5-99f3-18f6]:
EAPOL packet: OUT
64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8
88 8e 01 00 00 41 01 6c 00 41 19 00 14 03 01 00
01 01 16 03 01 00 30 85 17 ee 90 6c 84 62 9f 66
28 bb d7 29 2c e4 3f 44 dd 79 aa 10 54 3b 6d 54
ac 8e c8 6b a8 3f f7 cd 68 47 4f cc 9a a3 4e ba
0f b5 88 00 22 3e 0a
[BTRACE][2020/11/03 1402][6144][EAPoL][64e5-99f3-18f6]:
802.1x packet:
Version:802.1X-2001(1); Type:Eap(0); Length:65
EAPOL packet:
Code:Request(1); Id:108; Length:65; Type:PEAP(25)
[BTRACE][2020/11/03 1402][6144][EAPoL][64e5-99f3-18f6]:Send EAP_request packet to user successfully.(Index=122)
[BTRACE][2020/11/03 1403][6144][WLAN_AC][64e5-99f3-18f6]:[Process:6][WSTA] Sta table aging.
[BTRACE][2020/11/03 1403][2048][WLAN_AC][64e5-99f3-18f6]:[Process:2][WSTA] Flow fork MultiSta MsgType3101 Vcpu6
[BTRACE][2020/11/03 1403][2048][WLAN_AC][64e5-99f3-18f6]:[Process:2][WSTA] Flow fork MultiSta MsgType3121 Vcpu6
[BTRACE][2020/11/03 1404][6144][EAPoL][64e5-99f3-18f6]:No response of request challenge from user.
[BTRACE][2020/11/03 1404][6144][EAPoL][64e5-99f3-18f6]:Resend a EAPoL request challenge packet to user.
[BTRACE][2020/11/03 1404][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/03 1404][6144][EAPoL][64e5-99f3-18f6]:
EAPOL packet: OUT
64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8
88 8e 01 00 00 41 01 6c 00 41 19 00 14 03 01 00
01 01 16 03 01 00 30 85 17 ee 90 6c 84 62 9f 66
28 bb d7 29 2c e4 3f 44 dd 79 aa 10 54 3b 6d 54
ac 8e c8 6b a8 3f f7 cd 68 47 4f cc 9a a3 4e ba
0f b5 88 00 22 3e 0a
[BTRACE][2020/11/03 1404][6144][EAPoL][64e5-99f3-18f6]:
802.1x packet:
Version:802.1X-2001(1); Type:Eap(0); Length:65
EAPOL packet:
Code:Request(1); Id:108; Length:65; Type:PEAP(25)
[BTRACE][2020/11/03 1404][6144][EAPoL][64e5-99f3-18f6]:Send EAP_request packet to user successfully.(Index=122)
[BTRACE][2020/11/03 1406][6144][EAPoL][64e5-99f3-18f6]:No response of request challenge from user.
[BTRACE][2020/11/03 1406][6144][EAPoL][64e5-99f3-18f6]:Resend EAP_request/identity times exceed max times.(Index=122)
[BTRACE][2020/11/03 1406][6144][EAPoL][64e5-99f3-18f6]:Send EAP-Failure packet to user.
[BTRACE][2020/11/03 1406][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/03 1406][6144][EAPoL][64e5-99f3-18f6]:
EAPOL packet: OUT
64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8
88 8e 01 00 00 04 04 6c 00 04
[BTRACE][2020/11/03 1406][6144][EAPoL][64e5-99f3-18f6]:
802.1x packet:
Version:802.1X-2001(1); Type:Eap(0); Length:4
EAPOL packet:
Code:Failure(4); Id:108; Length:4; Type:Unknown(0)


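To troubleshoot a terminal that does not respond to Request Challenge:

1. First collect station-trace information on the AC (station-trace records the EAP packets that the AP sends and receives).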


[Huawei-diagnose] station-trace sta-mac 64e5-99f3-18f6


2. Confirm the following four items in order:


<7>Nov 03 2020 1458.20.1 AP-10 WSRV/7/BTRACEreceive eap pkt to sta from CAPWAP(9),[type(0)=EAP pkt, src mac=841222:e8, len=1122]
<7>Nov 03 2020 1458.20.2 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[28] [EAPOL] EAPOL packet payload[1100] Recved from software switch  //The AP receives the EAP Request challenge packet sent by the AC
<7>Nov 03 2020 1458.20.3 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[28] [EAPOL] EAPOL packet payload[1100] elapsed[0 ms] Sending pkt to target(Single)
<7>Nov 03 2020 1458.70.1 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[28] [EAPOL] EAPOL packet payload[1100] elapsed[30 ms] Success to send pkt to air  //The AP sends the EAP Request challenge packet to the terminal
<7>Nov 03 2020 1458.70.2 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[29] [EAPOL] EAPOL packet payload[6] Recved from target  //The AP receives the EAP Response challenge packet sent by the terminal
<7>Nov 03 2020 1458.70.3 AP-10 WIFI7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[29] [EAPOL] EAPOL packet payload[6] elapsed[0 ms] Entering rx reorder
<7>Nov 03 2020 1458.70.4 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[29] [EAPOL] EAPOL packet payload[6] elapsed[0 ms] Exiting rx reorder for release
<7>Nov 03 2020 1458.70.5 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[29] [EAPOL] EAPOL packet payload[6] elapsed[0 ms] Success to send pkt to software switch  //The AP sends the EAP Response challenge packet to the AC
<7>Nov 03 2020 1458.70.6 AP-10 WSRV/7/BTRACEreceive eap pkt from sta by BSS(26),[type(0)=EAP pkt, dest mac=18d7c1:20, len=28]



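a. Whether the AP received the EAP Request challenge packet sent by the AC. Based on station-trace, confirm whether the AP received the EAP Request challenge request packet sent by the AC (Recved from software switch). If the AP did not receive it, first enable forwarding debugging on the AP to see whether AP forwarding received it. If AP forwarding did not receive it, enable forwarding debugging on the AC to see whether AC forwarding sent it. If both AP forwarding reception and AC forwarding transmission are confirmed to be working, capture packets on the intermediate link, where the packet may have been dropped.

b. Whether the AP, after receiving it, sent the EAP Request challenge packet to the terminal. Based on station-trace, confirm whether the AP successfully sent the EAP Request challenge packet to the terminal (Success to send pkt to air).

c. Whether the AP received the terminal's EAP Response challenge packet. Based on station-trace, confirm whether the AP received the EAP Response challenge packet sent by the terminal (Recved from target).

d. Whether the AP sent the EAP Response challenge packet to the AC. Based on station-trace, confirm whether the AP successfully sent the EAP Response challenge packet to the AC (Success to send pkt to software switch). If station-trace shows that the send succeeded but the AC did not receive the packet, first enable forwarding debugging on the AC to see whether AC forwarding received it. If AC forwarding did not receive it, enable forwarding debugging on the AP to see whether AP forwarding sent it. If both AC forwarding reception and AP forwarding transmission are confirmed to be working, capture packets on the intermediate link, where the packet may have been dropped.

3. Another possible cause is that the EAP content in the Access-challenge packets sent by the RADIUS server is large (the lengths all exceed 1200), so the terminal fails to receive the large EAP Request challenge packet. This can be confirmed in station-trace.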


May 13 2019 1710.230.6+00:00 G12-AP-09-3 WSRV/7/BTRACE:[BTRACE][WLAN_AP][3C2E-FF90-662F]:receive eap pkt to sta from CAPWAP(23),[type(0)=EAP pkt, src mac=107285:e6, len=1518]
May 13 2019 1710.230.7+00:00 G12-AP-09-3 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][3C2E-FF90-662F]:SeqNo[3259] [EAPOL] EAPOL packet payload[1496] Recved from software switch
May 13 2019 1710.230.8+00:00 G12-AP-09-3 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][3C2E-FF90-662F]:SeqNo[3259] [EAPOL] EAPOL packet payload[1496] elapsed[0 ms] Sending pkt to target(Single)
May 13 2019 1710.240.1+00:00 G12-AP-09-3 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][3C2E-FF90-662F]:SeqNo[3259] [EAPOL] EAPOL packet payload[1496] elapsed[0 ms] Fail to send pkt to air with status[2]


As shown above, the EAP Request challenge packet length is 1496 and the AP failed to send it to the terminal. There are two ways to solve this problem:





[Huawei] radius-server template radius_test
[Huawei-radius-radius_test] radius-server attribute translate
[Huawei-radius-radius_test] radius-attribute set Framed-Mtu 1000
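The four station-trace checks in step 2 and the oversized-request failure in step 3, as an added Python example (not Huawei tooling and not part of the original page): it walks the trace in order and reports the first check that fails for the latest frame the AP received from the AC. The function name and the third sample are assumptions; the first two samples are the page's trace lines with the timestamp prefix trimmed.

```python
import re

EVENT = re.compile(
    r"SeqNo\[(\d+)\] \[EAPOL\] EAPOL packet payload\[(\d+)\].*?"
    r"(Recved from software switch|Success to send pkt to air|"
    r"Fail to send pkt to air with status\[(\d+)\]|Recved from target|"
    r"Success to send pkt to software switch)"
)
LARGE_EAP = 1200  # the page's threshold for an oversized EAP payload


def diagnose(trace_text):
    """Return (stage, detail); stage is 'a'-'d' for the first failed check, or 'ok'."""
    down = None        # latest frame the AP received from the AC
    up_seq = None      # SeqNo of the terminal's reply seen after that frame
    forwarded = False  # whether that reply was handed on towards the AC
    for line in trace_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        seq, payload, event = int(m.group(1)), int(m.group(2)), m.group(3)
        if event == "Recved from software switch":
            down = {"seq": seq, "payload": payload, "air": None, "status": None}
            up_seq, forwarded = None, False
        elif down is None:
            continue
        elif event == "Success to send pkt to air" and seq == down["seq"]:
            down["air"] = True
        elif event.startswith("Fail to send pkt to air") and seq == down["seq"]:
            down["air"], down["status"] = False, int(m.group(4))
        elif event == "Recved from target":
            up_seq = seq
        elif event == "Success to send pkt to software switch" and seq == up_seq:
            forwarded = True
    if down is None:
        return "a", "the AP did not receive the request from the AC"
    if down["air"] is False:
        detail = f"send to air failed with status[{down['status']}], payload {down['payload']}"
        if down["payload"] > LARGE_EAP:
            detail += f" (> {LARGE_EAP}: oversized EAP request)"
        return "b", detail
    if down["air"] is None:
        return "b", "no record of the request being sent to air"
    if up_seq is None:
        return "c", "no response from the terminal reached the AP"
    if not forwarded:
        return "d", "the AP did not forward the response to the AC"
    return "ok", "all four checks passed"


P = "WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:"
# From the step 2 trace above (timestamps trimmed).
HEALTHY = "\n".join([
    P + "SeqNo[28] [EAPOL] EAPOL packet payload[1100] Recved from software switch",
    P + "SeqNo[28] [EAPOL] EAPOL packet payload[1100] elapsed[0 ms] Sending pkt to target(Single)",
    P + "SeqNo[28] [EAPOL] EAPOL packet payload[1100] elapsed[30 ms] Success to send pkt to air",
    P + "SeqNo[29] [EAPOL] EAPOL packet payload[6] Recved from target",
    P + "SeqNo[29] [EAPOL] EAPOL packet payload[6] elapsed[0 ms] Success to send pkt to software switch",
])
Q = "WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][3C2E-FF90-662F]:"
# From the step 3 trace above (timestamps trimmed).
OVERSIZE = "\n".join([
    Q + "SeqNo[3259] [EAPOL] EAPOL packet payload[1496] Recved from software switch",
    Q + "SeqNo[3259] [EAPOL] EAPOL packet payload[1496] elapsed[0 ms] Sending pkt to target(Single)",
    Q + "SeqNo[3259] [EAPOL] EAPOL packet payload[1496] elapsed[0 ms] Fail to send pkt to air with status[2]",
])
# Constructed: the request went to air but the terminal never answered.
SILENT = "\n".join(HEALTHY.splitlines()[:3])

if __name__ == "__main__":
    for name, trace in (("healthy", HEALTHY), ("oversize", OVERSIZE), ("silent", SILENT)):
        print(name, diagnose(trace))
```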



Running trace object mac-address mac-address in the system view shows the message 4-way-handshake failed, which means the four-way handshake failed.


[BTRACE] [2020/11/30 1142][3072][WLAN_AC][0433-c2ad-9008]:[Process:3][WSTA] Receive elb table process(Ap:22, radio:1, wlan:1, vlan:1199, access mode:0, L3:0, version:0, IP:00000000, code:0, type:2)
[BTRACE][2020/11/30 1142][6144][WLAN_AC][0433-c2ad-9008]:[Process:6][WSEC] 4-way-handshake failed (Code:00000003).






Check whether the dot1x reauthenticate command is configured in the access profile; if it is, delete that configuration:


[Huawei] dot1x-access-profile name access_dot1x
[Huawei--dot1x-access-profile-access_dot1x] display this
dot1x-access-profile name access_dot1x
dot1x reauthenticate





[Huawei] trace object mac-address 64e5-99f3-18f6
[Huawei] trace enable
[BTRACE][2020/10/24 1614][6144][RADIUS][64e5-99f3-18f6]:
Received a authentication accept packet from radius server(server ip =
[BTRACE][2020/10/24 1614][6144][RADIUS][64e5-99f3-18f6]:
Server Template: 4
Server IP   :
Server Port : 1812
Protocol: Standard
Code    : 2
Len     : 194
ID      : 194
[Session-Timeout                ] [6 ] [3600]
[Termination-Action             ] [6 ] [1]
[EAP-Message                        ] [6 ] [03 4a 00 04 ]
[State                              ] [16] [01uY31125N]
[MS-MPPE-Send-Key                   ] [52] [fb a1 e9 55 16 62 a3 e5 da 35 fc ce 3e 8f ae 7d ac 0a d6 0b 20 59 ad 82 a8 66 88 06 6a 81 10 82 61 95 2e cf 44 50 c0 79 e5 3f a4 32 43 45 a5 9e 2b c4 ]
[MS-MPPE-Recv-Key                   ] [52] [fb a1 e9 65 b1 18 6d 60 8f 0a ed af 53 1e 26 8a e6 18 9d 26 8c 21 c8 4f c2 8a 6a d5 a8 85 8a 9d ba d8 be 8d 97 b8 b8 d3 24 04 21 23 90 71 33 35 f4 6b ]
[Message-Authenticator              ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]




[Huawei] radius-server template radius_test
[Huawei-radius-radius_test] radius-server attribute translate
[Huawei-radius-radius_test] radius-attribute disable Termination-Action receive 
[Huawei-radius-radius_test] radius-attribute disable Session-Timeout receive





[Huawei] display access-user mac-address xxxx-xxxx-xxxx




[Huawei] trace object mac-address xxxx-xxxx-xxxx
[Huawei] trace enable




[Huawei-diagnose] station-trace sta-mac xxxx-xxxx-xxxx




[Huawei] undo trace object mac-address xxxx-xxxx-xxxx
[Huawei] undo trace enable
[Huawei-diagnose] undo station-trace sta-mac xxxx-xxxx-xxxx





[Huawei] display aaa online-fail-record mac-address xxxx-xxxx-xxxx
[Huawei] display aaa abnormal-offline-record mac-address xxxx-xxxx-xxxx
[Huawei] display aaa offline-record mac-address xxxx-xxxx-xxxx




[Huawei-diagnose] display station online-fail-record sta-mac xxxx-xxxx-xxxx
[Huawei-diagnose] display station offline-record sta-mac xxxx-xxxx-xxxx





[Huawei-diagnose] display dot1x abnormal-eap-track mac xxxx-xxxx-xxxx




[Huawei-diagnose] display aaa abnormal-radius-track mac xxxx-xxxx-xxxx



AAA online log (recorded in the AC log)


%%01CM/5/USER_ACCESSRESULT(s)[395622]:[WLAN_STA_INFO_AUTHENTICATION]ACMAC:xx-xx-xx-xx-xx-xx;ACNAME:xxx;APMAC:xx-xx-xx-xx-xx-xx;APNAME:xxx;SSID:xxx;RADIOID:1;USER:xxx;MAC:xx-xx-xx-xx-xx-xx;IPADDRESS:-;TIME:1608639482;ZONE:UTC+0300;DAYLIGHT:false;ERRCODE:4294967295;RESULT:Open;USERGROUP:NULL;CIB ID:10192;INTERFACE:Wlan-Dbss18108;ACCESS TYPE:None;RDSIP:-;Portal TYPE:-;AUTHID=866625466;AuthFailType:MAC;AUTHPROTOCOL:PAP;


AAA offline log (recorded in the AC log)


%%01CM/5/USER_OFFLINERESULT(s)[395621]:[WLAN_STA_INFO_OFFLINE]ACMAC:xx-xx-xx-xx-xx-xx;ACNAME:xxx;APMAC:xx-xx-xx-xx-xx-xx;APNAME:xxx;SSID:xxx;RADIOID:1;USER:xxx;MAC:xx-xx-xx-xx-xx-xx;IPADDRESS:-;TIME:1608639482;ZONE:UTC+0300;DAYLIGHT:false;SESSIONTIME:2;ERRCODE:208;RESULT:Authentication during association failed;USERGROUP:NULL;AUTHENPLACE:None;EXTENDINFO:The signal strength of the STA is -43 dbm.;CIB ID:11430;INTERFACE:Wlan-Dbss18108;ACCESS TYPE:None;RDSIP:-;Portal TYPE:-;AUTHID=1837558961;AUTHPROTOCOL:-;


dot1x high-precision log on the AP (recorded in the AP log)


%%01WSRV/6/STA_EVENT_DOT1X_PROC(l)[294062]:dot1x authentication procedure(ApMac=xx-xx-xx-xx-xx-xx,UserMac=xx-xx-xx-xx-xx-xx,Identify=xxx,RadioId=1,Band=2,VapId=20,SSID=xxx,Result=Fail,Msg=ae 5 17;se 0 19;se 38 26;ae 6 47;se 166 49;ae 1012 77;se 6 104;ae 1008 121;se 6 122;ae 10 154;se 136 162;ae 57 219;se 6 229;ae 36 246;se 69 248;ae 69 269;se 123 272;ae 82 293;se 37 294;ae 46 314;se 46 315;ae 4





[Huawei] display diagnostic-information


Original title: S Series Switch Maintenance Handbook | 802.1X Authentication Failure




